Donald Kwakkel created CXF-6479:
-----------------------------------
Summary: Denial of Service: Regular Expression in StringUtils
Key: CXF-6479
URL: https://issues.apache.org/jira/browse/CXF-6479
Project: CXF
Issue Type: Bug
Components: Core
Affects Versions: 3.1.1
Reporter: Donald Kwakkel
Untrusted data is passed to the application and used as a regular expression.
This can cause the thread to over-consume CPU resources.
Affected code, in org.apache.cxf.common.util.StringUtils:
{code}
String separator = getSeparator();
return StringUtils.split(c, separator);
{code}
Where separator is provided by CacheControlHeader:
{code}
Object sepProperty =
message.getContextualProperty(CACHE_CONTROL_SEPARATOR_PROPERTY);
{code}
Regular expression evaluators, and the methods built on them, are vulnerable to
catastrophic backtracking: evaluating a pattern that repeats or alternates
overlapping, nested and repeated groups can cause the thread to hang. This
defect can be used to execute a DoS (Denial of Service) attack.
Example:
(e+)+
([a-zA-Z]+)*
No regular expression implementation is known to be immune to this
vulnerability.
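As an added illustration (not CXF's code and not the reporter's), the following shows the shape of the risk and the defensive alternative: a separator that may have come from an untrusted message property is quoted so that `split` treats it as a literal string rather than compiling it as a pattern, and a plain whitelist check rejects anything that is not a short, ordinary separator before it reaches `split`. The class and method names, the `sepProperty` parameter and the default "," separator are assumptions made for this example.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

public class SafeSeparatorSplit {

    // Hypothetical stand-in for the separator lookup in CacheControlHeader.
    // In the report the value comes from
    // message.getContextualProperty(CACHE_CONTROL_SEPARATOR_PROPERTY).
    static String getSeparator(Object sepProperty) {
        if (sepProperty == null) {
            return ",";   // default separator; an assumption for this example
        }
        return sepProperty.toString();
    }

    // The risky shape: the separator is handed to String.split unchanged, so
    // String.split compiles it as a regular expression. A separator value that
    // contains regex metacharacters (or nested repeated groups) is therefore
    // executed as a pattern against the header value.
    static List<String> splitUnsafe(String value, String separator) {
        return Arrays.asList(value.split(separator));
    }

    // Hardened: Pattern.quote wraps the separator in \Q...\E, so the compiled
    // pattern only ever matches the separator text itself, character for
    // character, and no backtracking structure can be introduced through it.
    static List<String> splitLiteral(String value, String separator) {
        return Arrays.asList(value.split(Pattern.quote(separator)));
    }

    // Alternative defence: validate the separator against a small set of
    // plain delimiter characters before it is used at all. Anything else
    // (including any regex syntax) is rejected, and the caller can fall back
    // to the default separator.
    static boolean isPlainSeparator(String separator) {
        return separator != null
            && !separator.isEmpty()
            && separator.length() <= 2
            && separator.chars().allMatch(ch -> ch == ',' || ch == ';' || ch == ' ');
    }

    public static void main(String[] args) {
        // Constructed sample Cache-Control value for the demonstration.
        String header = "no-cache,no-store,max-age=0";

        // The normal case: a single comma behaves the same either way.
        System.out.println(splitUnsafe(header, getSeparator(null)));
        System.out.println(splitLiteral(header, getSeparator(null)));

        // A separator containing a metacharacter: the unsafe call interprets
        // "." as "any character" and consumes the whole input; the literal
        // call splits only on actual dots.
        System.out.println(splitUnsafe("a.b.c", getSeparator(".")));
        System.out.println(splitLiteral("a.b.c", getSeparator(".")));

        // The whitelist check accepts ordinary delimiters and rejects the
        // pattern shapes named in the report.
        System.out.println(isPlainSeparator(","));
        System.out.println(isPlainSeparator("(e+)+"));
    }
}
```

Of the two defences, quoting is the smaller change because it keeps the existing `split` call and simply removes the regex interpretation; the whitelist check is stricter and makes the accepted separator values explicit, which is easier to audit when the property can be set from outside the application.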
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)